
Research And Improvement Of Detection Model For Name Resolution Vulnerabilities

Posted on: 2016-05-20
Degree: Master
Type: Thesis
Country: China
Candidate: J L Yang
Full Text: PDF
GTID: 2348330461956858
Subject: Computer software and theory
Abstract/Summary:
Running processes frequently access resources such as files and sockets. These accesses are made through resource names and the related calls: the system locates a resource by its name and then provides the requested service. The process of locating a resource by name is called name resolution, and a local attacker can exploit this access behaviour to gain privileges by subverting the name resolution process. Name resolution vulnerabilities depend on many factors, such as the program, the resource access, and access control, so the key to defending against and detecting them is finding reasonable characteristics for program protection and vulnerability detection. Defence methods protect the resource access process with program-level or system-level measures on access control policy, namespaces, system calls, race conditions, and so on; detection methods identify vulnerabilities by function calls, call sequences, access permissions, and other characteristics. Research on vulnerability models uses such characteristics to describe vulnerabilities, and these models are the basis for both defending against and detecting them.

In this thesis, we researched and improved the detection model for name resolution vulnerabilities in the following aspects. (1) We surveyed existing vulnerability models, classified them into detection models and general models according to their research purpose, and concluded that the main challenges for vulnerability models are generality and accuracy. (2) We analysed the basic principle, attack modes, and classification of name resolution vulnerabilities. We also analysed existing research on their defence and detection and pointed out its problems: defence methods incur more overhead and offer less flexibility because of the extra protection they add; static detection methods lack run-time information, while dynamic detection methods focus on the attack condition and neglect program behaviour, so both produce false positives. (3) To address these problems, a detection model that combines the attack condition with program behaviour was proposed. This model describes the detection characteristics more accurately; its major improvements are: proposing the predictability of a name to describe the attack condition from the attacker's point of view; defining preventive behaviour, identified through recognition functions and information flow analysis, as the basis for vulnerability recognition; and defining dangerous calls as the trigger condition for detection, which reduces the number of function calls that must be examined. (4) A prototype detection system was implemented based on this model. The experiments evaluate the system on its ability to detect known vulnerabilities, its ability to eliminate false positives, and the number of detection checks performed. The results show the excellent detection ability of the prototype system and the validity of the improved model.
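As an added illustration (not the thesis's prototype or its actual model), the following Python sketch applies the three ideas from point (3) to a constructed call trace: dangerous calls are the only trigger, a name under a shared directory is predictable unless information flow shows it came from an unpredictable generator, and a call with atomic-create or no-follow flags counts as preventive behaviour. The dangerous-call list, shared directories, generator functions, flag sets and the trace itself are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Trigger condition: only these calls start a detection step (assumed list).
DANGEROUS_CALLS = {"open", "chmod", "chown", "unlink", "rename"}
# Attack condition: a name under a shared, world-writable directory is treated
# as predictable unless it was produced by an unpredictable generator (assumed).
SHARED_DIRS = ("/tmp/", "/var/tmp/")
UNPREDICTABLE_GENERATORS = {"mkstemp", "mkdtemp"}
# Flag sets that make the dangerous call itself a preventive behaviour (assumed).
PREVENTIVE_FLAGS = ({"O_CREAT", "O_EXCL"}, {"O_NOFOLLOW"})

@dataclass(frozen=True)
class Event:
    call: str                     # call name as recorded in the trace
    name: str                     # resource name passed to or returned by the call
    flags: frozenset = frozenset()

def detect(trace):
    """Walk the trace once. Return (findings, examined): findings lists every
    dangerous call on a predictable name without preventive behaviour, and
    examined counts how many calls actually triggered a detection step."""
    generated = set()  # information flow: names that came from a generator
    findings, examined = [], 0
    for i, ev in enumerate(trace):
        if ev.call in UNPREDICTABLE_GENERATORS:
            generated.add(ev.name)
            continue
        if ev.call not in DANGEROUS_CALLS:
            continue               # not a trigger: no detection step at all
        examined += 1
        predictable = ev.name.startswith(SHARED_DIRS) and ev.name not in generated
        preventive = any(fs <= ev.flags for fs in PREVENTIVE_FLAGS)
        if predictable and not preventive:
            findings.append((i, ev.call, ev.name))
    return findings, examined

# Constructed trace: a safe mkstemp pattern, an unguarded fixed name in /tmp,
# an atomic O_CREAT|O_EXCL create, and a file outside any shared directory.
TRACE = [
    Event("getpid", ""),
    Event("mkstemp", "/tmp/log.Ab3xQ9"),
    Event("open", "/tmp/log.Ab3xQ9", frozenset({"O_RDWR"})),
    Event("open", "/tmp/app.lock", frozenset({"O_WRONLY", "O_CREAT"})),
    Event("chmod", "/tmp/app.lock"),
    Event("open", "/tmp/out", frozenset({"O_WRONLY", "O_CREAT", "O_EXCL"})),
    Event("write", ""),
    Event("open", "/home/user/cfg", frozenset({"O_RDONLY"})),
]
```

On this trace `detect(TRACE)` flags only the two calls on the fixed name `/tmp/app.lock`, and reports that just 5 of the 8 events triggered a detection step.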
Keywords/Search Tags: name resolution, vulnerability detection model, program behavior, resource access, information flow analysis